The Bangko Sentral ng Pilipinas (BSP) recently issued a circular requiring all BSP-supervised institutions to implement 3DES and EMV in particular, along with a reporting framework for improving IT security in general.
Enhanced bank security requirements of BSP Circular 808
1. Simoun Ung
Chairman, AmCham Security Disaster Resource Group Committee
Vice Chairman, Bastion Payment Systems Corporation
2. Approved by BSP 1 AUG 2013
Board-approved migration plan must be submitted to BSP no later than 1 FEB 2014, six months from circular date
Compliance required no later than 1 JAN 2015
3. Enhanced information-technology risk management (ITRM) framework;
Updates I.T.-related portions of the current Manual of Regulations for Banks (MORB);
Aims to strengthen the retail electronic payment infrastructure of the nation;
Aims to enhance protection against ATM and credit card fraud.
4. The new regulation covers:
All banks;
Non-bank financial institutions;
Electronic money issuers;
Other non-bank entities subject to BSP supervision or regulation.
5. Requires overall alignment of IT governance and models with overall business strategy and risk management/mitigation;
Requires maintenance of a risk identification and assessment process to continually look at threats and address them;
6. Establishment of an overall IT risk mitigation strategy, customized to the threats likely to face the institution:
Information security;
Project management, acquisition and change management;
I.T. operations;
I.T. outsourcing and vendor management;
Electronic products and services.
7. 3DES: Triple Data Encryption Algorithm, the DES block cipher applied three times to each 64-bit data block
Requires implementation of end-to-end Triple DES for all ATMs by 1 JAN 2015
New ATMs installed should be Triple DES compliant
8. EMV: Europay, MasterCard and Visa originated standard for integrated circuit cards
EMV chip cards must be implemented by 1 JAN 2017;
Implementation plans must be submitted by 1 FEB 2014, six months from date of circular.
10. Cloud security and its effect on our services and security;
Payment Card Industry Data Security Standard (PCI DSS);
Card Not Present transactions;
EMV security and organized criminal groups;
ATM security and organized criminal groups;
Other threats